In a report issued on March 26, the FTC proposes actions business should take to safeguard consumers' online privacy - including adoption of a do-not-track system - and said Congress should make participation mandatory.

The report, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers, calls on companies handling consumer data to implement recommendations for protecting privacy, including:

Privacy by Design: Companies should build in consumers' privacy protections at every stage in developing their products, including reasonable security for consumer data, limited collection and retention of such data and reasonable procedures to promote data accuracy.

Simplified Choice for Businesses and Consumers: Companies should give consumers the option to decide what information is shared about them and with whom. This should include a do-not-track mechanism that would provide a simple, easy way for consumers to control the tracking of their online activities.

Greater Transparency: Companies should disclose details about their collection and use of consumers' information, and provide consumers access to the data collected about them.

"If companies adopt our final recommendations for best practices - and many of them already have - they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy," FTC Chairman Jon Leibowitz said in a statement announcing the report. "We are confident that consumers will have an easy to use and effective do-not-track option by the end of the year because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don't."

Martin Abrams, executive director of the industry-supported Centre for Information Policy Leadership that's run by the law firm Hunton & Williams, characterized the report as definitive, adding that the FTC guidance sets down a direction that is concrete and linkable to data protection in the rest of the world. "For the first time," Abrams said, "the FTC ... said a person's hard drive is their property and they should have control over it. This is new. It gives us a sense of the direction of privacy and data protection in the U.S."

Attorney Ronald Raether suggested the FTC guidance, in reality, has the effect of being a law. "Any company that doesn't meet the general requirements of the report could find themselves facing an enforcement action by the FTC," said Raether, a partner at Faruki Ireland & Cox in Dayton, Ohio.

In fact, that's why one of the FTC's four commissioners voting on the report objected to it. Although characterized as "best practices," Commissioner Thomas Rosch said the report's recommendations might be construed as federal requirements: "It makes no difference whether the federal requirement is in the form of enforceable codes of conduct or in the form of an act of Congress. Indeed, it is arguable that neither is needed if these firms feel obliged to comply with the best practices or face the wrath of the commission or its staff."

Not all business would be affected by the privacy framework presented in the report. The FTC said it shouldn't apply to companies that collect data from fewer than 5,000 consumers a year and don't sell that information to third parties.

The FTC, in the report, calls on Congress to enact legislation to provide consumers with access to information held by data brokers. The report also calls on data brokers that compile consumer data for marketing purposes to explore creation of a centralized website where consumers could get information about their practices and their options for controlling data use.

A preliminary staff report was issued in December 2010, and since then the FTC received recommendations from more than 450 individuals and organizations.

To go with the new recommendations, the FTC announced a series of privacy workshops to explore issues tied to comprehensive tracking in the second half of the year as well as one on May 30 to address how mobile privacy disclosures can be short, effective and accessible to consumers using portable devices.